Find notable cyber news and cases, enriched with sources, timelines, and signals.

Storm-2561 fake enterprise VPN Hyrax infostealer activity

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

A fake enterprise VPN installer is now delivering Hyrax infostealer components that steal VPN credentials and maintain persistence on Windows systems. The operation matters because it disguises itself as legitimate VPN software, captures login data, and can keep reusing infected hosts for follow-on access.

Related Happenings

SilabRAT session-hijacking crypto-draining malware activity

Malware Activity
H score24 First: 10.06.2026 18:30 Last: 10.06.2026 18:30 Sources 1

About this happening: The **SilabRAT** **MaaS** operation is now offering a session-hijacking **remote access trojan** that can drain cryptocurrency and bypass **password** and **MFA** checks, expandin...

Check Point VPN CVE-2026-50751 targeted exploitation wave

Exploitation Wave
H score47 First: 08.06.2026 17:17 Last: 08.06.2026 17:17 Sources 1

About this happening: **CVE-2026-50751** is an **active exploitation wave** against **Check Point Remote Access VPN** and **Mobile Access** deployments that use **deprecated IKEv1**. The flaw is an **a...

JINX-0164 cryptocurrency recruitment-lure campaign

Campaign
H score39 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...

Fake Claude PlugX phishing campaign

Campaign
H score34 First: 13.04.2026 12:52 Last: 13.04.2026 12:52 Sources 1

About this happening: A **February** phishing campaign used a **fake Claude website** and **fake meeting invitations** to deliver **PlugX** malware to recipients, turning a popular AI brand into a malw...

Latest development: 07.05.2026 13:02

A fake Claude AI site at claude-pro[.]com distributed Claude-Pro-windows-x64.zip, which drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll to sideload DonutLoader and load the Beagle backdoor on Windows. The backdoor uses license[.]claude-pro[.]com for command-and-control over TCP 443 and/or UDP 8080, and related Beagle samples were submitted to VirusTotal between February and April this year.

Warlock ransomware post-exploitation tooling upgrades

Malware Activity
H score38 First: 17.03.2026 17:36 Last: 17.03.2026 17:36 Sources 1

About this happening: The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...

Timeline

  1. 13.03.2026 15:23 2 articles · 3mo ago

    Microsoft details Storm-2561 fake VPN credential-theft campaign

    Technical Analysis Update

    Microsoft detailed a Storm-2561 campaign that used SEO poisoning and spoofed enterprise VPN download pages for Ivanti, Cisco, Fortinet, and other vendors to lure users to a fake GitHub-hosted MSI installer. When executed, the installer dropped `Pulse.exe`, `dwmapi.dll`, and `inspector.dll`, stole VPN credentials and `connectionsstore.dat`, persisted through the Windows `RunOnce` registry key, showed an installation error to reduce suspicion, and redirected victims to the legitimate vendor site; Microsoft also published IoCs and hunting guidance.

    Show sources